Wednesday, November 18, 2015

AD-Powershell for Active Directory Administrators

http://social.technet.microsoft.com/wiki/contents/articles/5819.ad-powershell-for-active-directory-administrators.aspx

Computer object commands



List all computer accounts in a domain

Get-ADComputer -Filter *


List all computers that have not logged on to Active Directory for 90 days

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -ComputersOnly

OR

$lastLogon = (Get-Date).AddDays(-90).ToFileTime()
Get-ADComputer -Filter {lastLogonTimestamp -lt $lastLogon} -Properties lastLogonTimestamp

-TimeSpan expects a TimeSpan value (days.hours:minutes:seconds); a bare 90 is read as 90 ticks, not 90 days. lastLogonTimestamp is only replicated when the stored value is more than 9 to 14 days old, so both queries find machines not seen for roughly 90 days rather than an exact cut-off, and a computer that authenticates against a DC but has not yet replicated its stamp can still show up as inactive.

Find and delete all disabled computer accounts in Active Directory (the pipeline is irreversible; run it with -WhatIf first)

Search-ADAccount -AccountDisabled -ComputersOnly | Remove-ADComputer -WhatIf
Search-ADAccount -AccountDisabled -ComputersOnly | Remove-ADComputer

Find and delete disabled computer accounts from a specific OU

Search-ADAccount -AccountDisabled -SearchBase "OU=IT,DC=Contoso,DC=Com" -ComputersOnly | Remove-ADComputer

Find and delete all computer accounts that have not logged on to Active Directory since 11/20/2011

Search-ADAccount -AccountInactive -DateTime (Get-Date "2011-11-20") -ComputersOnly | Remove-ADComputer

Pass -DateTime an actual date object: a string such as "20.11.2011" is parsed according to the culture of the session and silently becomes a different day (or fails) on an en-US server. Remove-ADComputer only deletes leaf objects; a computer that has child objects (for example BitLocker recovery information) must be removed with Remove-ADObject -Recursive. Disabling stale accounts first and deleting them after a retention period is the safer pattern, because a machine that was merely switched off for a while can then be re-enabled without a domain rejoin.

List only disabled computer accounts in the domain

Search-ADAccount -AccountDisabled -ComputersOnly | Format-Table Name

Move Computer to other OU (example: Computer=CLIENT1 to OU=IT)


Get-ADComputer CLIENT1 | Move-ADObject -TargetPath "OU=IT,DC=Contoso,DC=Com"

See Computer account detail (example: Computer=CLIENT1)

Get-ADComputer -Filter {Name -Like "CLIENT1"}

Get a specific computer showing all the properties (example: Computer=CLIENT1)

Get-ADComputer "CLIENT1" -Properties *

List computers (Name, Operating System, Service Pack, Operating System version)

Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -AutoSize

Export the computer list (Name, Operating System, Service Pack, Operating System version) to a CSV file

Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Select-Object Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Export-Csv AllWindows.csv -NoTypeInformation -Encoding UTF8

Request only the attributes you need: -Properties * pulls every attribute of every computer across the wire and is noticeably slower in a large domain. The OperatingSystem* attributes are written by the client itself when it joins or boots, so treat them as a hint about what runs on the machine, not as an authoritative inventory.

Get a computer's IPv4 address and DnsHostName

Get-ADComputer -Filter {Name -Like "Computer-Name"} -Properties IPv4Address | Format-List Name,DnsHostName,IPv4Address

IPv4Address is not stored in the directory; the cmdlet resolves DnsHostName through DNS at query time, so the value reflects the current DNS record rather than anything the computer object holds.

Get all Computers in a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADComputer -SearchBase "OU=IT,DC=Contoso,DC=Com" -filter *

Get all the Computers without a specific DNS suffix

Get-ADComputer -filter "DnsHostName -notlike '*.Contoso.Com'"

Get Computer Service Principal Names (SPNs)

Get-ADComputer "Computer-Name" -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames

Get Computers Security Identifiers (SIDs)

Get-ADComputer -Filter {Name -like "*"} | Select Name,SID | Format-Table -Auto
 

All computer accounts that were created in the last 90 days in Active Directory

$Since = (Get-Date).AddDays(-90)
Get-ADComputer -Filter {whenCreated -ge $Since} -Properties whenCreated | Format-Table Name,whenCreated,DistinguishedName -AutoSize -Wrap

All computer accounts that were created on or after December 1, 2011 (12/01/2011) in Active Directory

Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(whenCreated>=20111201000000.0Z))" -Properties whenCreated | Format-Table Name,whenCreated,DistinguishedName -AutoSize -Wrap

Computer objects have objectCategory=computer; objectCategory=person matches user objects, so that value would return nothing from Get-ADComputer. The whenCreated value in an LDAP filter is a generalized-time string in UTC (YYYYMMDDHHMMSS.0Z).

All computer accounts that were created in a given time range, between 10/01/2011 and 12/01/2011, in Active Directory

$Start = Get-Date "2011-10-01 00:00:00"
$End   = Get-Date "2011-12-01 23:59:59"
Get-ADComputer -Filter {(whenCreated -ge $Start) -and (whenCreated -le $End)} -Properties whenCreated | Format-Table Name,whenCreated,DistinguishedName -AutoSize -Wrap


All computer accounts whose password was last set in a given time range, between 10/01/2011 and 12/01/2011, in Active Directory

$Start = Get-Date "2011-10-01 00:00:00"
$End   = Get-Date "2011-12-01 23:59:59"
Get-ADComputer -Filter {(PasswordLastSet -ge $Start) -and (PasswordLastSet -le $End)} -Properties PasswordLastSet | Format-Table Name,PasswordLastSet,DistinguishedName -AutoSize -Wrap


All computer accounts whose password has not been changed in the last 90 days in Active Directory

$Date = (Get-Date).AddDays(-90)
Get-ADComputer -Filter {PasswordLastSet -le $Date} -Properties PasswordLastSet | Format-Table Name,PasswordLastSet,DistinguishedName -AutoSize -Wrap

Domain members rotate their machine account password every 30 days by default, so a computer whose password is older than 90 days has either not contacted the domain in that time or has the automatic change disabled. Unlike lastLogonTimestamp, pwdLastSet replicates like any other attribute as soon as it changes, which makes it the more precise staleness indicator. Putting the date comparison inside -Filter lets the domain controller do the filtering instead of pulling every computer to the client first.
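The inactivity, password-age and disable/delete one-liners above are usually combined into one stale-account sweep. The following is an added example and not part of the original page: it finds enabled computers that have neither logged on nor rotated their machine password within a window, then disables (rather than deletes) them with -WhatIf/-Confirm support. It assumes the ActiveDirectory module; $StaleDays, the quarantine OU and the description text are illustrative choices, not values from the page.

```powershell
# Added example (not from the original page): stale computer account sweep.
# Assumes the ActiveDirectory module and an account allowed to modify computers.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$StaleDays = 90,                                   # assumed window
        [string]$SearchBase = (Get-ADDomain).DistinguishedName  # whole domain by default
    )
    $cutoff   = (Get-Date).AddDays(-$StaleDays)
    $cutoffFt = $cutoff.ToFileTime()   # lastLogonTimestamp and pwdLastSet are stored as FILETIME

    # Server-side filter: enabled, and either no logon stamp at all or one older than the cutoff.
    $filter = "(lastLogonTimestamp -lt $cutoffFt -or lastLogonTimestamp -notlike '*') -and Enabled -eq 'True'"

    Get-ADComputer -SearchBase $SearchBase -Filter $filter `
        -Properties lastLogonTimestamp, pwdLastSet, whenCreated, OperatingSystem |
    Where-Object {
        # lastLogonTimestamp replicates only every 9-14 days, so confirm with pwdLastSet
        # (replicated normally; rotated every 30 days by default) and skip objects created
        # inside the window that simply have not logged on yet.
        $_.whenCreated -lt $cutoff -and $_.pwdLastSet -lt $cutoffFt
    } |
    ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        New-Object PSObject -Property @{
            Name              = $_.Name
            OperatingSystem   = $_.OperatingSystem
            LastLogon         = $lastLogon
            PasswordLastSet   = [DateTime]::FromFileTime($_.pwdLastSet)
            DistinguishedName = $_.DistinguishedName
        }
    }
}

function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$StaleDays = 90,
        [string]$QuarantineOU   # e.g. "OU=Stale,DC=Contoso,DC=Com"; assumed to exist if given
    )
    foreach ($c in Get-StaleComputer -StaleDays $StaleDays) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable stale computer (password last set $($c.PasswordLastSet))")) {
            # Stamp the description so the reason and date survive the retention period.
            Set-ADComputer -Identity $c.DistinguishedName -Enabled $false `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon or password change for $StaleDays days"
            if ($QuarantineOU) {
                Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
            }
        }
    }
}

# Dry run first; the real run prompts per object unless -Confirm:$false is given.
# Delete with Remove-ADComputer only after the retention period has passed.
Disable-StaleComputer -StaleDays 90 -QuarantineOU "OU=Stale,DC=Contoso,DC=Com" -WhatIf
```

The two-attribute check matters because either signal alone produces false positives: lastLogonTimestamp lags replication, and pwdLastSet alone misses machines with automatic password change disabled. Disabling keeps the object (and its SID) recoverable; deletion is a separate, later step.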

Group object commands


List all members of a group (example: Group=Experts)

Get-ADGroupMember Experts | Format-Table Name

All properties of a group (example: Group=IT)

Get-ADGroup IT -Properties *

List only Universal Security groups

Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483640))"

List only Global Security groups

Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483646))"

List only Domain Local Security groups

Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483644))"

1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule: an entry matches only when every bit of the given value is set in groupType. The values are the signed 32-bit forms of 0x80000008 (security + universal), 0x80000002 (security + global) and 0x80000004 (security + domain local); 0x80000000 is the security-enabled flag, so groups without it are distribution groups and cannot appear in ACLs. The module also exposes the decoded form as the GroupCategory and GroupScope properties, which can be used in -Filter instead of the raw bitmask.

List all group memberships for a user, including nested groups and well-known groups such as Authenticated Users (example: User=EdPrice)

Get-ADAccountAuthorizationGroup EdPrice

This returns the groups that end up in the user's token (the expanded membership), whereas Get-ADPrincipalGroupMembership returns only the groups the user is a direct member of.

Move a Group to another OU (example: Group=Experts, Old-OU=IT, New-OU=Service, Domain=Contoso.com)

Move-ADObject "CN=Experts,OU=IT,DC=Contoso,DC=com" -TargetPath "OU=Service,DC=Contoso,DC=com"

Add members to a group (example: Group=Experts, User=EdPrice)

Add-ADGroupMember Experts -Members EdPrice

Delete a group (example: Group=Experts)

Remove-ADGroup Experts

Remove a user from a group (example: Group=Experts, User=EdPrice)

Remove-ADGroupMember Experts -Members EdPrice

Set the description of a group (example: Group=JoinPC, Description=This group is allowed to join PCs to the domain)

Set-ADGroup JoinPC -Description "This group is allowed to join PCs to the domain"

Add the members of one group to another group (example: from Group1=DataUsers to Group2=SQLUsers)

Add-ADGroupMember SQLUsers -Members (Get-ADGroupMember DataUsers)

Get-ADGroupMember returns direct members of every type (users, computers and nested groups), so nested groups are copied as groups; add -Recursive to flatten the nesting into individual accounts instead.

Compare the memberships of two groups (example: Group1=Administrators, Group2=DnsAdmins)

Compare-Object (Get-ADGroupMember Administrators) (Get-ADGroupMember DnsAdmins) -Property distinguishedName -IncludeEqual

Naming the property makes the comparison explicit; objects only in the first group are marked <=, only in the second =>, and in both == when -IncludeEqual is given.
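The three groupType filters above are instances of one bitmask rule. The following is an added example, not code from the original page: it decodes groupType into scope and category and builds the BIT_AND LDAP filter for any scope, including the distribution-group case that a plain BIT_AND match cannot express. It assumes the ActiveDirectory module; the flag values are the ones defined in the AD schema.

```powershell
# Added example (not from the original page): groupType decoding and filter builder.
Import-Module ActiveDirectory

# groupType flag values from the AD schema. 0x80000000 is written as the
# signed Int32 because that is how the attribute is stored and filtered.
$GroupTypeFlag = @{
    BuiltinLocal = 0x00000001        # system-created builtin local groups
    Global       = 0x00000002
    DomainLocal  = 0x00000004
    Universal    = 0x00000008
    Security     = [int]-2147483648  # 0x80000000; clear = distribution group
}
$BitAndRule = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

function ConvertFrom-GroupType([int]$GroupType) {
    $scope = foreach ($name in 'BuiltinLocal','Global','DomainLocal','Universal') {
        if (($GroupType -band $GroupTypeFlag[$name]) -ne 0) { $name }
    }
    New-Object PSObject -Property @{
        GroupType = $GroupType
        Scope     = ($scope -join ',')
        Security  = (($GroupType -band $GroupTypeFlag.Security) -ne 0)
    }
}

function New-GroupTypeLdapFilter {
    param(
        [ValidateSet('Global','DomainLocal','Universal')][string]$Scope,
        [switch]$Distribution
    )
    $security = $GroupTypeFlag.Security
    $scopeBit = $GroupTypeFlag[$Scope]
    if ($Distribution) {
        # BIT_AND requires the named bits to be SET, so "security bit clear"
        # has to be written as the negation of a security-bit match.
        "(&(objectCategory=group)(groupType:$($BitAndRule):=$scopeBit)(!(groupType:$($BitAndRule):=$security)))"
    } else {
        # Int32 -bor yields the same signed value the page uses, e.g. 2 -bor -2147483648 = -2147483646
        $mask = $scopeBit -bor $security
        "(&(objectCategory=group)(groupType:$($BitAndRule):=$mask))"
    }
}

# Usage: every global security group, with the decoded scope/category beside the raw value.
Get-ADGroup -LDAPFilter (New-GroupTypeLdapFilter -Scope Global) -Properties groupType |
    Select-Object Name,
        @{n='groupType'; e={ $_.groupType }},
        @{n='Scope';     e={ (ConvertFrom-GroupType $_.groupType).Scope }},
        @{n='Security';  e={ (ConvertFrom-GroupType $_.groupType).Security }}

# Distribution groups of universal scope (cannot hold permissions, but can be mail-enabled).
Get-ADGroup -LDAPFilter (New-GroupTypeLdapFilter -Scope Universal -Distribution) | Select-Object Name
```

New-GroupTypeLdapFilter -Scope Universal produces exactly the -2147483640 filter from the page; the decoder is useful when reviewing a CSV export where only the numeric groupType survived.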

Organizational Unit (OU) commands


All OUs in the domain

Get-ADOrganizationalUnit -Filter * | Format-Table Name, DistinguishedName -AutoSize

Create OU (example: OU=IT, Domain=Contoso.com)

New-ADOrganizationalUnit -Name IT -Path "DC=Contoso,DC=Com"


Contents of a specific OU (example: OU=IT, Domain=Contoso.com)


Get-ADObject -Filter {Name -Like "*"} -Searchbase "OU=IT,DC=Contoso,DC=Com"

Rename OU (example: Old-Name=IT, New-Name=Admin, Domain=Contoso.com)

Rename-ADObject "OU=IT,DC=Contoso,DC=Com" -NewName Admin

Delete an OU including its contents (example: OU=IT, Domain=Contoso.com)

Set-ADOrganizationalUnit "OU=IT,DC=Contoso,DC=Com" -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit "OU=IT,DC=Contoso,DC=Com" -Recursive

The identity must be the OU's distinguished name or GUID, not its plain name. OUs created in the GUI or with New-ADOrganizationalUnit are protected from accidental deletion by default, so the protection has to be cleared first; child objects that are themselves protected will still block the deletion.

Delete user from specific OU (example: User=EdPrice, OU=IT, Domain=Contoso.com)

Remove-ADObject "CN=EdPrice,OU=IT,DC=Contoso,DC=Com"

Move all objects from one OU to another OU (example: Old-OU=IT, New-OU=Manager, Domain=Contoso.com)

Get-ADObject -Filter {Name -Like "*"} -Searchbase "OU=IT,DC=Contoso,DC=Com" -SearchScope OneLevel | Move-ADObject -TargetPath "OU=Manager,DC=Contoso,DC=Com"



User object commands



List all user accounts in the domain

Get-ADUser -Filter *

List all user accounts in a specific OU (example: OU=IT, Domain=Contoso.com)

Get-ADUser -Filter * -SearchBase "OU=IT,DC=Contoso,DC=Com" | FT

List all user accounts from a specific city (example: City=NewYork)

Get-ADUser -Filter {City -like "NewYork"} -Properties City | FT

List only disabled user accounts in the domain

Search-ADAccount -AccountDisabled -UsersOnly | FT Name

List all user accounts whose first name is Ed


Get-ADUser -Filter {GivenName -like "Ed"} | FT

List all user accounts whose last name is Price

Get-ADUser -Filter {Surname -like "Price"} | FT

List all user accounts from a specific department (example: Department=Support)

Get-ADUser -Filter {Department -like "Support"} -Properties Department | FT

-like without a wildcard behaves like -eq; use "Ed*" to match every first name beginning with Ed. City and Department are not in the default property set, so add them with -Properties if you want them in the output.

List a User's Group memberships (example: User=Richard)

Get-ADPrincipalGroupMembership -Identity Richard 

List all Users from specific Group and move Users to another OU (example: Group=People, Target OU=NewYork, Domain=Contoso.com)

Get-ADGroupMember People -Recursive | Move-ADObject  –TargetPath "OU=NewYork,DC=Contoso,DC=Com"

Remove all users in an OU from a specific group (example: Group=People, OU=NewYork, Domain=Contoso.com)

$Users = Get-ADUser -Filter * -SearchBase "OU=NewYork,DC=Contoso,DC=Com"
Remove-ADGroupMember -Identity People -Members $Users -Confirm:$false

Tuesday, October 13, 2015

How to add EBS volume to Linux machine in AWS

1.     Login to AWS console
2.     Create 50 GB volume
3.     Attach to the Linux instance
4.     Login to the Linux server
5.     After the above steps the new volume is listed on the system. You can check this with the 'lsblk' or 'fdisk -l' command
6.     Create a file system on the newly added EBS volume with the command below (in my case the new disk is /dev/xvdj). Name the file system type explicitly: a bare mkfs defaults to ext2, which would not match the ext4 entry added to fstab in step 9
mkfs -t ext4 /dev/xvdj
7.     Make a directory with the command below (in my case the directory name is "mountdriveE")
mkdir /mountdriveE
8.     Mount the disk on the mount point with the command below
mount /dev/xvdj /mountdriveE
9.     Add the entry below at the end of /etc/fstab to make the mount permanent

/dev/xvdj    /mountdriveE  ext4    defaults        1 1

Device names such as /dev/xvdj are not guaranteed to stay the same across reboots or instance types (NVMe-based instances expose volumes as /dev/nvme1n1 and so on), so it is safer to reference the file system by the UUID printed by 'blkid /dev/xvdj' (UUID=... in place of /dev/xvdj). Adding 'nofail' to the options keeps the instance bootable if the volume is ever detached, and running 'mount -a' after editing fstab confirms the entry parses before you depend on it at boot.

Thursday, July 23, 2015

How to Delete Files Whose Paths Exceed 255 Characters Without 3rd-Party Tools

Create an empty folder on C:\ called test, then use robocopy's mirror switch to copy the empty test folder over the folder you want emptied (here the HomeDrives folder). robocopy handles paths longer than the 260-character MAX_PATH limit that Explorer and del choke on. /MIR makes the destination identical to the source, so everything under the destination is deleted: check the destination path carefully, and add /L first to list what would be removed without touching anything.

robocopy /MIR c:\test D:\xxx\xxx\xxx

Wednesday, April 8, 2015

How do I find out what service is using a certain port?

The freeware tool CurrPorts from NirSoft lists every listening and connected TCP/UDP port together with the owning process:

http://www.nirsoft.net/utils/cports.html

The same information is available without extra tools: from an elevated prompt, netstat -anob prints each endpoint with its process ID and executable (-b requires elevation), and on Windows 8 / Server 2012 and later Get-NetTCPConnection exposes the owning process ID as a property. When the owner is svchost.exe several services may share that process, so map the PID to service names with tasklist /svc or the Win32_Service class.
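The following is an added example and not part of the original post: a PowerShell function that answers the question above without a third-party tool, by joining the TCP/UDP endpoints for a port to the owning process and to any Windows services hosted in that process. It uses Get-NetTCPConnection and Get-NetUDPEndpoint (NetTCPIP module, Windows 8 / Server 2012 and later); executable paths of other users' processes are only visible from an elevated session.

```powershell
# Added example (not from the original post): which process/service owns a local port?
function Get-PortOwner {
    param([Parameter(Mandatory = $true)][int]$Port)

    # Collect TCP and UDP endpoints bound to the port; @() of pipelines that emit
    # nothing stays empty, unlike @($null).
    $endpoints = @(
        Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{
                Proto = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
                RemoteAddress = $_.RemoteAddress; State = $_.State; OwningProcess = $_.OwningProcess
            }
        }
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{
                Proto = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
                RemoteAddress = '*'; State = ''; OwningProcess = $_.OwningProcess
            }
        }
    )
    if ($endpoints.Count -eq 0) {
        Write-Warning "Nothing is bound to local port $Port"
        return
    }

    foreach ($e in $endpoints) {
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        # Several services can share one svchost.exe, so resolve by ProcessId rather than by name.
        $svcs = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($e.OwningProcess)" |
                Select-Object -ExpandProperty Name
        New-Object PSObject -Property @{
            Proto         = $e.Proto
            LocalAddress  = $e.LocalAddress
            LocalPort     = $e.LocalPort
            RemoteAddress = $e.RemoteAddress
            State         = $e.State
            ProcessId     = $e.OwningProcess
            ProcessName   = $proc.ProcessName
            Path          = $proc.Path          # $null for System (PID 4) and without elevation
            Services      = ($svcs -join ', ')  # empty for plain user processes
        }
    }
}

# Usage: who listens on SMB and on the Kerberos port?
Get-PortOwner -Port 445 | Format-Table Proto, LocalAddress, State, ProcessId, ProcessName, Services -AutoSize
Get-PortOwner -Port 88  | Format-Table Proto, LocalAddress, State, ProcessId, ProcessName, Services -AutoSize
```

Port 445 on a member server resolves to PID 4 (System, the kernel SMB server) with no path and no service name, which is the expected answer rather than an error; an unexpected user-mode process on a well-known port is what this check is for.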


Monday, March 2, 2015

Seizing An Operations Master with NTDSUTIL in Windows Server 2008 R2

http://www.msserverpro.com/seizing-an-operations-master-with-ntdsutil-in-windows-server-2008-r2/

In a real network, when the operations master server fails due to hardware issues or other problems, we need to move the operations master roles to another domain controller as soon as possible. Moving a role without the cooperation of the current holder is called seizing: seizing an operations master role means forcing the role onto another domain controller. Seizing is the last resort; if the current holder is still reachable, transfer the role instead (ntdsutil's transfer commands or the Operations Masters dialog), because a transfer lets the old holder hand over its state cleanly. Before we seize operations master roles, we must permanently disconnect the domain controller that holds them from the network. If a former RID master, schema master or domain naming master comes back online after its role has been seized, two DCs act as the same master and can hand out duplicate RID pools or accept conflicting schema and naming changes, which corrupts the directory.
Here, all operations master roles are on the KTM-DC01-2K8 domain controller. In this scenario the server is currently offline due to hardware problems, so we get an error when we open the Operations Masters dialog on the other domain controller, KTM-DC02-2K8. To solve this problem we have to seize the operations master roles and reassign them to the KTM-DC02-2K8 domain controller as soon as possible.
Before KTM-DC01-2K8 went offline, all operations master roles were on KTM-DC01-2K8.
Use ntdsutil to perform this procedure:
1. Log on to KTM-DC02-2K8, the working DC, with an account that is a member of Domain Admins (Enterprise Admins is required to seize the domain naming master and Schema Admins to seize the schema master).
2. Open a command prompt: in the Run box, type cmd and then click OK.
3. At the command prompt, type ntdsutil and press Enter.
4. At the ntdsutil prompt, type activate instance NTDS and press Enter.
5. At the ntdsutil prompt, type roles and press Enter.
6. At the fsmo maintenance prompt, type ? and press Enter to see a list of available commands.
7. At the fsmo maintenance prompt, type connections and press Enter.
8. At the server connections prompt, type ? and press Enter for help information.
9. At the server connections prompt, type connect to server followed by the fully qualified domain name (FQDN) of the domain controller that will be the new role holder, and press Enter. Here the FQDN is KTM-DC02-2K8.msserverpro.com.
10. At the server connections prompt, type quit and press Enter.
11. At the fsmo maintenance prompt, type one of the following commands to seize the appropriate operations master and press Enter. ntdsutil first attempts a normal transfer and seizes only when the current holder does not respond, so a failed transfer attempt is shown before the seizure; confirm the prompt.
      i.) seize infrastructure master
      ii.) seize naming master
     iii.) seize PDC
     iv.) seize RID master
      v.) seize schema master
12. At the fsmo maintenance prompt, type quit and press Enter to return to the ntdsutil prompt.
13. At the ntdsutil prompt, type quit and press Enter to exit the ntdsutil utility.
14. At the command prompt, type netdom query fsmo to verify that all operations master roles are now on KTM-DC02-2K8.msserverpro.com.
15. Clean up the failed DC's metadata so that replication topology and DNS no longer reference it: on Windows Server 2008 R2, deleting the DC's computer object in Active Directory Users and Computers (or its NTDS Settings object in Active Directory Sites and Services) performs the metadata cleanup; then remove its remaining DNS records. If the hardware is repaired, rebuild the server from scratch and promote it again; never reconnect it as it was.

Summary:
Seizing an operations master role is critical for business continuity whenever the role holder is non-functional. The article above outlines how to carry out the role seizing operations. I hope this helps.
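The same procedure is scriptable with the ActiveDirectory module that ships with Windows Server 2008 R2. The following is an added example and not part of the original article: it reads the current role holders, transfers gracefully when they all answer, falls back to a seizure only when one does not, and then verifies every role the way netdom query fsmo does. The target DC name is the article's; treating a failed ping as "unreachable" is an assumption of the script, which is why the seizure branch still lets the cmdlet try a transfer first.

```powershell
# Added example (not from the original article): transfer or seize all five FSMO roles.
Import-Module ActiveDirectory

$Target = 'KTM-DC02-2K8'   # the article's surviving DC
$Roles  = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Get-FsmoHolder {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before  = Get-FsmoHolder
$holders = $before.Values | Sort-Object -Unique
# ICMP is only a hint (it may be filtered); the -Force branch below still attempts a
# transfer before seizing, so a wrongly "dead" holder is transferred, not seized.
$dead = $holders | Where-Object { -not (Test-Connection -ComputerName $_ -Count 1 -Quiet) }

if ($dead) {
    Write-Warning "Unreachable role holder(s): $($dead -join ', '). Seizing onto $Target."
    Write-Warning "Never reconnect these DCs to the network afterwards; clean up their metadata and rebuild them."
    # -Force: try a transfer first, seize only if that fails.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force -Confirm:$false
} else {
    # Every holder answers: a plain transfer is the correct, non-destructive operation.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false
}

# Verify: every role should now report the target's FQDN (same information as 'netdom query fsmo').
$after = Get-FsmoHolder
foreach ($role in $Roles) {
    $status = if ($after[$role] -like "$Target.*") { 'OK' } else { 'NOT MOVED' }
    '{0,-22} {1,-40} {2}' -f $role, $after[$role], $status
}
```

Run it once with -WhatIf added to the Move-ADDirectoryServerOperationMasterRole lines to see which branch will be taken; -Confirm:$false is there because the cmdlet otherwise prompts for each role, which is fine interactively but not in a script.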

Tuesday, February 10, 2015

Get Started with Ansible on the cloud

http://cloudacademy.com/blog/get-started-with-ansible-on-the-cloud/?utm_content=buffer3e169&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer


Sunday, February 1, 2015

CONFIGURING TRUSTS – PART 4

http://www.rebeladmin.com/2015/02/configuring-trusts-part-4/

This is the last part of the series explaining "Trusts" between infrastructures. If you have not read the other three parts yet, you can find them here.
This article explains how to configure a trust between two forests.
Demo Setup
For the demonstration I will be using the following setup.

Organization    Domain        Primary DC
Contoso Ltd.    Contoso.com   Microsoft Windows Server 2012 R2
XYZ Ltd.        Xyz.com       Microsoft Windows Server 2012 R2

I am going to create a "Forest Trust" between the two organizations. It will be a two-way trust, which allows each forest, its domains and its users to access "allowed" resources in the other organization's infrastructure.
Before starting, make sure the following ports are open in the firewalls of both organizations, in both directions, so that the trust can be created and used:
UDP Port 88 – Kerberos
TCP and UDP Port 389 – LDAP
TCP Port 445 – Microsoft SMB
TCP Port 135 – RPC endpoint mapper (trust endpoint resolution)
The endpoint mapper only hands out the port on which the actual RPC service listens, so the dynamic RPC range (TCP 49152-65535 on Windows Server 2008 and later) must be reachable as well. Kerberos also falls back to TCP 88 for large tickets, password changes across the trust use port 464, and DNS (TCP/UDP 53) must flow between the forests unless name resolution is handled by zones that do not cross the firewall.
To create a trust you need to log in with an account that is a member of the Domain Admins or Enterprise Admins group.
You also need to consider DNS before starting the trust creation. If both forests use the same root DNS servers this is not an issue, but otherwise each forest's DNS servers need a zone for the other forest (a conditional forwarder, a stub zone or a secondary zone). For the demo I have set up a secondary DNS zone holding a transferred copy of the running XYZ.com zone. I have explained DNS zone setup in one of my earlier articles on this blog; if you are not familiar with the process please refer to it.
1)    To start the process I log in to the contoso.com domain as an enterprise administrator.
2)    Then open Server Manager > Active Directory Domains and Trusts
3)    In the Active Directory Domains and Trusts snap-in, right-click the contoso.com domain and click Properties
4)    In the next window go to the "Trusts" tab and click the "New Trust" button
5)    This opens the "New Trust Wizard"; click Next to start the process
6)    In the next window we need to specify the DNS name or the NetBIOS name of the domain we are going to create the trust with. In our demo it is "xyz.com". Then click Next to continue
7)    In the next window we need to select the trust type. I selected "Forest trust" and clicked Next to continue
8)    We are going to set up a two-way trust, so in the next window I selected "Two-way" from the list and clicked Next
9)    A trust has to be created on both sides. If you have the appropriate permissions in the remote forest you can create both sides at once, and the next window offers that option. Since I do have access, I selected "Both this domain and the specified domain" and clicked Next
10)    In the next window I specified the credentials used to create the trust in the remote forest (the account needs to be a member of the Domain Admins or Enterprise Admins group there). Then click Next to continue
11)    The next window asks for the authentication scope for the local forest. Here I selected forest-wide authentication
12)    The next window asks for the authentication scope for the remote forest. Here I selected forest-wide authentication
Forest-wide authentication makes every user of the other forest a member of Authenticated Users in this forest, so anything that Authenticated Users may read or reach (directory enumeration, shares, internal web applications) becomes reachable for them. Selective authentication grants nothing by default and requires the "Allowed to Authenticate" permission to be set on each computer object the remote users may use; it is the safer choice for a trust with a partner organization, at the cost of per-server administration.
13)    The next window shows a brief summary of the selections we made; click Next to create the trust
14)    The next window asks about routed name suffixes for the local forest. I used the default and clicked Next
15)    Another window asks to confirm the outgoing trust. Since we created the other side of the trust as well, select Yes and click Next
16)    The next window asks to confirm the incoming trust. Since we created the other side of the trust as well, select Yes and click Next
17)    The wizard then confirms that the trust was created successfully. Click Finish to exit the wizard.
18)    In the remote XYZ.com forest we can confirm the new trust by looking at the domain properties as in steps 1-3
This completes the process of creating a forest trust. The options shown by the wizard change with the trust type, authentication scope and so on. SID filtering (quarantine) is enabled by default on a new forest trust, so SIDs that do not belong to the trusted forest, including SID-history entries, are dropped from tokens coming across it; leave it on unless a migration really requires SID history.
Testing
To test the trust I created the following scenario.
A Contoso domain file server hosts a folder called "Share-Contoso". We need to give the user account "xyz-user" from the XYZ forest access to this folder.
After creating the trust, when we set share permissions on the "Share-Contoso" folder we can now select users from the XYZ.com domain.
After applying the permissions I try to log in to the Contoso file server from a remote machine (here I used a PC that is not joined to either domain); when prompted for credentials I provide the login of xyz-user in the XYZ.com domain.
Once authenticated, the user is granted access to the share.
As we can see, the trust works.
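The trust you end up with can be reviewed from PowerShell rather than by clicking through the Trusts tab, which is useful after the wizard and again whenever a partner relationship is audited. The following is an added example and not part of the original article: it lists every trust of the local domain with Get-ADTrust (ActiveDirectory module, as on the Windows Server 2012 R2 DCs in the demo) and flags the settings that widen exposure. The property names are those of the ADTrust objects; the wording of each finding is my interpretation of the flag.

```powershell
# Added example (not from the original article): trust exposure review.
Import-Module ActiveDirectory

function Get-TrustAudit {
    param([string]$Server)   # optional DC or domain to query; defaults to the local domain
    $splat = @{ Filter = '*' }
    if ($Server) { $splat.Server = $Server }

    Get-ADTrust @splat | ForEach-Object {
        $t = $_
        $findings = @()

        # Outbound or two-way: accounts from the other side can authenticate here,
        # so these are the directions where our resources are exposed.
        if ($t.Direction -in 'Outbound','BiDirectional') {
            if (-not $t.SelectiveAuthentication) {
                $findings += 'forest-wide authentication: all remote users become Authenticated Users here'
            }
            if ($t.ForestTransitive -and $t.SIDFilteringForestAware) {
                $findings += 'SID history allowed across forest trust (netdom /enablesidhistory:yes); SID filtering weakened'
            }
            if (-not $t.ForestTransitive -and -not $t.IntraForest -and -not $t.SIDFilteringQuarantined) {
                $findings += 'external trust without SID filtering quarantine'
            }
            if ($t.TGTDelegation) {
                $findings += 'TGT delegation enabled across the trust (unconstrained delegation honoured from the other side)'
            }
        }
        if (-not $t.UsesAESKeys) {
            $findings += 'AES not enabled for the trust; inter-realm Kerberos tickets use RC4'
        }

        [pscustomobject]@{
            Source    = $t.Source
            Target    = $t.Target
            Direction = $t.Direction
            Type      = $t.TrustType
            Forest    = $t.ForestTransitive
            Selective = $t.SelectiveAuthentication
            Findings  = ($findings -join '; ')
        }
    }
}

# Usage: run on a contoso.com DC after the wizard has finished.
Get-TrustAudit | Format-Table -AutoSize -Wrap
```

For the trust built in this article the output shows the xyz.com target as BiDirectional with Forest = True and Selective = False, so the first finding appears; whether to accept it depends on how much of the Contoso forest is readable by Authenticated Users. The other findings should stay empty unless someone has changed the trust with netdom after creation.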